On Mon, Sep 15, 2003 at 02:35:58AM -0400, JondZ wrote:
> alternatively, if you need to use telnet, open it but
> control it thru tcp wrappers (/etc/xinetd.d/telnet in
> newer redhat). I use telnet but only allow hosts
> from my local net. Works great.
>
Until someday someone decides to install a password sniffer on a box on your local network and sees all of your passwords going by in the clear. It is then a simple matter to hijack one of your tcp wrappers trusted hosts and access your supposedly "safe" host. Or if someone decides to mount an IP spoofing attack and pretends to be the target to one of your wrapped hosts (still possible with ssh, but not if you use it the way it is supposed to be used).

IP addresses should never be considered trusted, not unless there is a cryptographic certificate of some sort standing behind them. Granted ssh does a less than optimal job of managing these trust relationships (the old versions of SSH blindly added certificates to the ~/.ssh/known_hosts file for instance), but it at least provides a framework on which you can do this.

Strong authentication is an absolute necessity in this day and age, and getting into bad habits in this respect on what you might mistakenly feel are "safe" local networks may translate into those same bad habits being used on dangerous public networks. In my mind, that's a good enough reason to deprecate the protocol altogether and never use it at all. Better not to use telnet at all, ever again.

There are decent, Free ssh clients available even for lesser OSes like Windows that are better than the really terrible telnet client that MS appears to have shipped along with Windows as an afterthought, so that is no longer an excuse.

The only good telnet or ftp is a Kerberized one.

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
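As an added example that is not part of the original post or of any project it mentions: a small POSIX shell audit of the two settings the thread argues about, run against constructed sample files (the xinetd file is modelled on the /etc/xinetd.d/telnet layout; StrictHostKeyChecking and HashKnownHosts are real OpenSSH client keywords). It assumes only mktemp and grep -E.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two settings the thread
# argues about. All file contents below are constructed samples.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed xinetd service file in the style of /etc/xinetd.d/telnet,
# with the service still switched on (disable = no).
cat > "$WORK/telnet" <<'EOF'
service telnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        disable         = no
}
EOF

# Constructed ssh client configs: the weak setting and the hardened one.
cat > "$WORK/ssh_config.weak" <<'EOF'
Host *
    StrictHostKeyChecking no
EOF
cat > "$WORK/ssh_config.hardened" <<'EOF'
Host *
    StrictHostKeyChecking yes
    HashKnownHosts yes
EOF

# 0 when the xinetd file is absent or says "disable = yes"; 1 if telnet is served.
telnet_disabled() {
    [ -f "$1" ] || return 0
    grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# 0 only when StrictHostKeyChecking is set and every occurrence is "yes".
# An absent option leaves the client at trust-on-first-use, so that counts as 1.
strict_hostkeys() {
    lines=$(grep -Ei '^[[:space:]]*StrictHostKeyChecking[[:space:]]' "$1" || true)
    [ -n "$lines" ] || return 1
    printf '%s\n' "$lines" \
        | grep -Eivq 'StrictHostKeyChecking[[:space:]]+yes[[:space:]]*$' && return 1
    return 0
}

telnet_disabled "$WORK/telnet" && echo "telnet: disabled" || echo "telnet: STILL ENABLED"
for f in weak hardened; do
    strict_hostkeys "$WORK/ssh_config.$f" \
        && echo "ssh_config.$f: host keys verified" \
        || echo "ssh_config.$f: host keys accepted blindly"
done
```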
